[Snort-openappid] Gmail detection

Mike Stepanek (mstepane) mstepane at ...5...
Fri Nov 7 15:57:23 EST 2014

Sabu -

Correct.  Your IE and Firefox are backing off to SSLv3 when their TLS attempt is being blocked.  Unfortunately, the SSLv3 handshake is skirting our detector.  Chrome, however, is not backing off to SSLv3, so it's effectively blocked.  This is being worked on and will be fixed in a future release.

Thanks for the feedback!

- Mike Stepanek
   mstepane at ...5...

From: Sabu Thaliyath [mailto:sabu.thaliyath at ...8...]
Sent: Monday, November 03, 2014 8:12 AM
To: Costas Kleopa (ckleopa)
Cc: Snort-openappid at lists.sourceforge.net
Subject: Re: [Snort-openappid] Gmail detection

Hi Costas,

I tried "-k none" and "-P 9000" options also but no luck again.

However, I have a new observation this time. I see gmail getting blocked when I used Chrome38 browser but not while using IE10 or Firefox27. I tried with old as well as new detector and found that gmail is blocked on both when I use Chrome.

Here are my rules (drop rule) :-

drop tcp [any] any <> any any (msg : "bing:drop"; appid: bing; sid:100000; rev:4; )
drop udp [any] any <> any any (msg : "bing:drop"; appid: bing; sid:100004; rev:4; )
drop tcp [any] any <> any any (msg : "gmail:drop"; appid: gmail; sid:100010; rev:4; )
drop udp [any] any <> any any (msg : "gmail:drop"; appid: gmail; sid:100014; rev:4; )
drop tcp [any] any <> any any (msg : "google_accounts:drop"; appid: google_accounts; sid:100017; rev:4; )
drop udp [any] any <> any any (msg : "google_accounts:drop"; appid: google_accounts; sid:100018; rev:4; )
drop tcp [any] any <> any any (msg : "google_drive:drop"; appid: google_drive; sid:100019; rev:4; )
drop udp [any] any <> any any (msg : "google_drive:drop"; appid: google_drive; sid:100020; rev:4; )
I am attaching here in this email

1) Alert and Drop output of gmail   (both from IE and Chrome)
2) Alert and drop Pcap files (both from IE and Chrome)


On Sun, Nov 2, 2014 at 5:54 AM, Costas Kleopa (ckleopa) <ckleopa at ...5...<mailto:ckleopa at ...5...>> wrote:
Have you tried using in your snort command line argumes the "-k none” for
not ignoring bad checksums, and “-P 9000” to allow packets with large PDU
traffic in it?

If that did not work please send us the snort rules you are using with AppID,
some traffic with the alert output of the gmail rules and we will investigate it into detail.


On Nov 1, 2014, at 8:18 AM, Sabu Thaliyath <sabu.thaliyath at ...8...<mailto:sabu.thaliyath at ...8...>> wrote:
Hi Costas,

Thanks..I downloaded the new version but still no luck ..It detects http sites perfectly but not https.
I tried http://mail.google.com and it blocked however it is unable to block https://mail.google.com .

Here is how my environment is setup.  (Just in case if env is the issue)
Windows 7, IE 10 & FF 27 browsers as my client system
Linux Fedora 13 system as my default gateway with snort-openappid installed.

[root at ...50... openappid]# cat odp/version.conf
[root at ...50... openappid]#

Version GRE (Build 149)
Using libpcap version 1.0.0
Using PCRE version: 7.8 2008-09-05
Using ZLIB version: 1.2.3
Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 2.4  <Build 1>

Here is the log of http website

Nov  1 17:38:26 Fedora13 snort[2819]: [1:100010:4] appid_gmail:block {TCP}<> -><>
Just to be sure, I am going to try it on latest Ubuntu.
If OS is not an issue here, then please let me know if there is any troubleshooting steps or logs I can get to help resolve this issue.

On Fri, Oct 31, 2014 at 10:16 PM, Costas Kleopa (ckleopa) <ckleopa at ...5...<mailto:ckleopa at ...5...>> wrote:

We have actually released a new version of our detector package today at https://www.snort.org/downloads, in which we have also included the fix for this issue.

Feel free to download that one and make sure that your version of the odp package would be the following:



Let us know if you are still seeing more issues after you test it with this one.


From: Sabu Thaliyath <sabu.thaliyath at ...8...<mailto:sabu.thaliyath at ...8...>>
Date: Friday, October 31, 2014 at 12:35 PM
To: "Snort-openappid at lists.sourceforge.net<mailto:Snort-openappid at lists.sourceforge.net>" <Snort-openappid at lists.sourceforge.net<mailto:Snort-openappid at lists.sourceforge.net>>
Subject: Re: [Snort-openappid] Gmail detection

Hi Costas,

I am facing the same issue as Payman. Tried tweaking ' openappid/odp/lua/ssl_host_group_belvedere.lua ' to get gmail blocked. But no luck. I see none of the https websites or applications getting blocked.

Is there any documentation on how lua/ssl_host_group_belvedere.lua works ? I read Opensource Detectors developer guide but still couldn't figure out much.

Any plans to fix this issue ?


Re: [Snort-openappid] Gmail detection<http://sourceforge.net/p/snort/mailman/message/32704933/>
From: Costas Kleopa (ckleopa) <ckleopa at ...49...> - 2014-08-11 14:45:14


Thank you for bringing it to our attention.

The correct configuration files for gmail are with the use of the the SSL Host patterns.

If you see the openappid/odp/lua/ssl_host_group_belvedere.lua we have the following patterns now.

 { 0, 655, '*.mail.google.com<http://mail.google.com/>' },

 { 0, 655, 'imap.gmail.com<http://imap.gmail.com/>' },

We will put the fix for this in our next release to allow the proper SSL patterns from gmail.com<http://gmail.com/> and mail.google.com<http://mail.google.com/>.



From: Peyman Gohari <peyman.gohari.pub at ...39...<mailto:peyman.gohari.pub@<mailto:peyman.gohari.pub@>...>>

Date: Monday, August 11, 2014 at 10:04 AM

To: "snort-openappid at ...39...<mailto:snort-openappid@<mailto:snort-openappid@>...>" <snort-openappid at ...39...<mailto:snort-openappid@<mailto:snort-openappid@>...>>

Subject: [Snort-openappid] Gmail detection


  I have been trying OpenAppId using snort-

  I am quite happy with the result when it comes to detecting non HTTPS sites (ex:cnn.com<http://cnn.com/><http://cnn.com><http://cnn.com%3E/>; as per the tutorial).

  However, for an obscure reason, it does not recognise Gmail. It seems that the code used for detecting Gmail sits in openappid/odp/lua/payload_gmail_userid.lua, with the core function being:

function DetectorInit(detectorInstance)

    gDetector = detectorInstance

    if (gDetector.CHPCreateApp and gDetector.CHPAddAction) then

        gDetector:CHPCreateApp(655, 1, 0);

        gDetector:CHPAddAction(655, 1, 1, "mail.google.com<http://mail.google.com/><http://mail.google.com>"<http://mail.google.com%3E%22/>;, 0, "");

        gDetector:CHPAddAction(655, 0, 3, "mail", 0, "");

        gDetector:CHPAddAction(655, 0, 3, "?gxlu=", 2, "&");


    return gDetector


  I am curious to understand how the recognition of sites like Gmail works. I am looking for documentation on the function CHPCreateApp or any explanation on how the function DetectorInit works. If someone can help me, that would be great.

Thanks for your help


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-openappid/attachments/20141107/c94a6bba/attachment.html>

More information about the Snort-openappid mailing list